How to set up Stunnel?

I have a few different GL-iNet travel routers: AR300M, MiFi and the USB router.

Is there any way to run Stunnel on any of them, to run OpenVPN through?

I’m an OpenWRT newbie so any help would be appreciated, it’s overwhelming.

1 Like

Do you mean this: https://www.stunnel.org/

I actually don’t understand what you want to achieve.

Yes that’s what I mean. I’ve noticed some WiFi networks (hotels, airports) are very restrictive and don’t seem to allow even OpenVPN, so I am hoping Stunnel might help me start an OpenVPN connection in those places.

What hotel / airport have you found that you cannot start an OpenVPN connection? The only place I found that blocked everything but browsing was Boise airport in Idaho… I travel constantly and have never found another place blocking VPNs.

I have had issues simply getting my AR300M connected and in WISP mode (occasionally it cannot see the hotel’s SSID and I have to set it up manually). Once I’m connected OpenVPN is typically not an issue…

Thank you all for opening this issue. With deep packet inspection in a lot of countries, the need for Stunnel increases. I figured out how to configure OpenVPN with a Stunnel server on my Raspberry Pi.

But how to install the OpenVPN client with Stunnel on any of the GL-iNet routers is a mystery to me.

Please help us with the step-by-step configuration.

1 Like

> What hotel / airport have you found that you cannot start an OpenVPN connection? The only place I found that blocked everything but browsing was Boise airport in Idaho… I travel constantly and have never found another place blocking VPNs.

It happens all the time in international (non-US) hotels, and as you say in airports, mostly frequent flyer lounges.

If you can edit the OpenVPN server configuration, you can use OpenVPN over stunnel. You should first install the stunnel ipk on the router via opkg update && opkg install stunnel. Then please see here.

2 Likes

Sorry I’m not that good with OpenWRT. Do you mean I have to:

  1. Install the stunnel ipk on to my router, and
  2. Edit the .ovpn file, according to your link?

If so, can you give me a step-by-step on “install stunnel ipk via opkg update && opkg install stunnel on router firstly”? Thanks for any help.

@capite

Get any SSH program and connect to your router using the same IP as you would in a browser.
Log in as root with the web UI password.

Now you just run the command @kyson-lok wrote you:

   opkg update && opkg install stunnel

After that you follow the guide to modify your OpenVPN connection to use stunnel.

1 Like
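What the install-then-edit steps above come to once stunnel is on the router, as an added example that is not from the thread or the linked guide: a client-side stunnel config plus the matching changes to a provider .ovpn file. The server name, address, ports and CA path are placeholders, and the sample profile is constructed.

```shell
#!/bin/sh
# Added example. Every value below is an assumed placeholder, not from the thread.
STUNNEL_SERVER="vpn.example.net"    # your own stunnel server (hypothetical name)
STUNNEL_SERVER_IP="203.0.113.10"    # its address (documentation range)
STUNNEL_PORT=443                    # TLS port the server-side stunnel listens on
LOCAL_PORT=11194                    # local port OpenVPN will connect to

write_stunnel_conf() {              # $1 = output path
    cat > "$1" <<EOF
; client side: accept plain TCP locally, wrap it in TLS towards the server
client = yes

[openvpn]
accept = 127.0.0.1:${LOCAL_PORT}
connect = ${STUNNEL_SERVER}:${STUNNEL_PORT}
; verify the server certificate so a hostile hotspot cannot sit in the middle
verifyChain = yes
CAfile = /etc/stunnel/ca.pem
checkHost = ${STUNNEL_SERVER}
EOF
}

sample_ovpn() {                     # constructed sample provider profile
    cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
explicit-exit-notify 1
EOF
}

rewrite_ovpn() {                    # $1 = original .ovpn, $2 = output path
    {
        echo "proto tcp-client"                   # stunnel only carries TCP
        echo "remote 127.0.0.1 ${LOCAL_PORT}"     # talk to the local stunnel
        # keep the stunnel connection itself outside the VPN tunnel
        echo "route ${STUNNEL_SERVER_IP} 255.255.255.255 net_gateway"
        # drop the old proto/remote lines and the UDP-only exit notify
        grep -Ev '^[[:space:]]*(proto|remote|explicit-exit-notify)([[:space:]]|$)' "$1"
    } > "$2"
}

d=$(mktemp -d)
sample_ovpn > "$d/provider.ovpn"
write_stunnel_conf "$d/stunnel.conf"
rewrite_ovpn "$d/provider.ovpn" "$d/provider-stunnel.ovpn"
cat "$d/stunnel.conf" "$d/provider-stunnel.ovpn"
```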

The default configuration of most OpenVPN profiles is to use UDP. It is not common, but some hotels (and mostly airports) block UDP. If your VPN provider also provides TCP configuration files, they will most likely work.

I have been around most of Europe and Asia at this point (not China) and this method has not let me down yet.

Usually you’d want to prefer the UDP config file as it will be lower latency, but if it doesn’t work, you can revert to TCP. Also on spotty/weak wifi tethered connections, TCP is better at holding a connection.

1 Like

Since he wants to use Stunnel, which is also TCP, it won’t be an issue. :slight_smile:

Running two layers of encryption will probably halve the throughput. The 400MHz processor is already struggling with OpenVPN. I would not recommend it.

2 Likes

To get around most blocks (not Egypt, because they check packet length and other things for deep blocking, and server white lists), the best way would be to change to a common port like 443, enable tls-crypt on the server and, sure, use TCP, but I haven’t seen any reports of needing to change to TCP with tls-crypt enabled.

It will still look like OpenVPN traffic though.

To completely hide the VPN traffic to make it look like pure TLS, Stunnel is the way to go, and using something like SSLH means that you can run both an HTTPS server and OpenVPN on the Stunnel port, and SSLH will forward the traffic depending on the handshake. This means that any attacker that actually tries to connect to the server (some advanced firewalls will try to connect via HTTPS and since Stunnel + OpenVPN alone will make that fail, the firewall will block the connection anyway) will see a normal run-of-the-mill HTTPS server on the other end (he could test for OpenVPN too but that is just something you have to accept).

And another bummer too, since HTTPS connections are usually short, the firewall can just cut connections of xxx minutes or seconds, and that would kill large downloads and also any VPN connections that did manage to get by.

I have an AsusWrt router, and there is not much choice there, just OpenVPN.
So in the end it depends on what your configuration is allowed to look like, and of course performance.

2 Likes

99.9% of the time the hotel or airport is just blocking UDP because they don’t want people running BitTorrent sucking up all the bandwidth. They really don’t have the IT staff or inclination to set up what you’re talking about.

1 Like

It’s so easy to set up everything in the right way, and have it work all over the world.
The other users in this thread might not just be using it in the US where it’s a simple UDP block.

1 Like